Q: I’ve been told that my passwords should now be at least 10 characters long in order to be secure nowadays. Is that true?
A: Passwords tend to be the only thing separating criminals and thieves from our online accounts, which is why they spend so much time creating sophisticated ways to compromise them.
Just about all the advice you’ll ever hear about creating "strong passwords" is generally designed to thwart sophisticated guessing schemes commonly referred to as "brute-force attacks."
Brute-force attacks, which are generally performed offline by high-speed computer networks, are a systematic process of trying every possible combination of letters, numbers and special characters until the correct combination is figured out.
Long, complex passwords are the best way to combat this type of attack.
Understanding brute-force attacks
If you were to only use two characters for your password, you can see how a high-speed computer could guess every possible combination in the blink of an eye.
In fact, the Gibson Research Password Haystack Tool suggests that any two-character password can be broken in 0.0000000000354 seconds or less.
Each additional character that you add exponentially increases the number of possible combinations, so the longer your password is, the longer it will take for a brute-force attack to be successful.
Most of you have been trained to use complex eight-character passwords, which are hard for you to remember and easy for attackers to crack. With today’s sophisticated password cracking technology, GRC’s tool suggests it’ll take just over a minute to break any eight-character password, no matter what combination of characters you use.
By stretching the password to 10 characters, that one minute goes to one week, as long as you have included uppercase characters, numbers and special characters.
Use passphrases, not passwords
If you don’t follow the guidance on using all the required characters, the number of possible combinations drops exponentially.
For instance, the time that it takes to crack a complex 10-character password that does not include an uppercase letter goes from one week down to just over six hours.
The key to creating strong complex passwords that you can remember is to stop using passwords and start using passphrases.
My go-to example of "I H8te Passwords!" is a 17-character passphrase (including spaces) that GRC’s tool suggests would take 13.44 billion centuries to crack.
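The arithmetic behind these estimates, as an added example (not code from the column or from GRC): it counts every string up to the password's length over the character classes in use and divides by an assumed rate of 100 trillion guesses per second, which gives figures close to those quoted above. The class sizes (26, 26, 10, 33), the 365-day year and the constructed sample passwords are also assumptions.

```python
import string

# Assumed character-class sizes over printable ASCII (space counts as a symbol).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
GUESSES_PER_SECOND = 100e12              # assumed offline cracking rate
SECONDS_PER_CENTURY = 100 * 365 * 86400  # assumed 365-day years


def char_class(c):
    if c in string.ascii_lowercase:
        return "lower"
    if c in string.ascii_uppercase:
        return "upper"
    if c in string.digits:
        return "digit"
    return "symbol"


def alphabet_size(password):
    """Size of the alphabet an exhaustive search must cover for this password."""
    return sum(CLASS_SIZES[k] for k in {char_class(c) for c in password})


def search_space(password):
    """Count of all strings of length 1..len(password) over that alphabet."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def seconds_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case time for pure brute force; dictionary guessing is not modelled."""
    return search_space(password) / rate


if __name__ == "__main__":
    samples = [
        "a!",                 # constructed: two characters
        "Aa1!Aa1!",           # constructed: 8 characters, all four classes
        "Aa1!Aa1!Aa",         # constructed: 10 characters, all four classes
        "aa1!aa1!aa",         # constructed: 10 characters, no uppercase
        "I H8te Passwords!",  # the column's 17-character passphrase
    ]
    for pw in samples:
        s = seconds_to_exhaust(pw)
        print(f"{pw!r:22} alphabet={alphabet_size(pw):3} "
              f"seconds={s:.3g} centuries={s / SECONDS_PER_CENTURY:.3g}")
```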
By creating a passphrase that is personal to you, you have a much better chance of creating a long complex password that you can easily remember.
For example, "I’m Going To Aruba in 2017!" is 27 characters long and uses all the required characters. Some sites don’t allow you to use spaces, but it would still be 22 characters long.
12-character minimum
I personally shoot for at least 12-character passphrases these days, knowing that brute-force cracking technology is going to get faster as time goes on.
If time weren’t a factor, any password of any length can eventually be broken, but time is a factor with cyberthieves, so make your passwords long and complex enough that your accounts aren’t worth their time.
Copyright 2016 KPHO/KTVK (KPHO Broadcasting Corporation). All rights reserved.